They keep finding that huge spam campaigns were run by one guy from his bedroom. I can't remember which specific spam campaign was recently caught, it might've been the phone spam about car insurance. It was one guy with a huge botnet.
In total they are a finite set, and even catching 5% of them will scare the rest.
I interpret that the opposite way: if a huge spam campaign can be run by a guy in his bedroom, there’s no way that larger spam operators can be effectively killed by legal action. They’ll just employ different guys in different bedrooms. The same thing is true with phone phishing scams—they’re not individually hard to eradicate, but the combination of lucrativeness and rapid-rebootability means that legal crackdowns in the past have not been effective at scaring the rest out of business.